My wife is quite a bit smarter than I am. She is also more educated than I am. Frankly, I'm happy she talks to me at all.

She put a photo on Facebook last week of her and a friend and was careful to double-check that the photo was set to "Friends only."

A few days later she rushed in and told me that she thought the photo was public even though it was set as Friends only.

"Why?"

"Because random people that I don't know are commenting on this photo! Like, who is this guy? I don't want him to see this - I don't know him! Why did they let non-friends see it?"

I looked for a minute and noticed that she had "tagged" her other friend in the photo as in this example photo below:

In this photo there are four people tagged. When you tag someone, they are notified that they've been tagged, and they can remove the tag, which removes the photo from their "photos of me" list. The photo above is totally public, but let's say it was posted by me and I tagged my three friends and marked it as "Friends only."

Who can see the photo of me and my 3 friends? Who can see the photo of my wife and her friend when the photo is marked Friends?

Answer: The union of all the friends of everyone tagged in the photo. If someone else sees the photo and tags some more people, the circle of visibility for that photo or post expands.

This may seem obvious to a software engineer or someone with a background in set theory but it's not obvious even to smart regular folks. It certainly surprised my wife although she gets it now. Here's the thing, though. Now she says she really is less likely to put photos on Facebook and certainly less likely to tag folks in photos.
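The visibility rule from the answer above, modeled as a small added example (this is not Facebook's code and not part of the original post). The friend graph and every name in it are constructed, and the model assumes the owner's own friends and the tagged people themselves can always see the photo.

```python
from collections import defaultdict

# Constructed friend graph (undirected). All names are made up for this example.
FRIENDSHIPS = [
    ("wife", "scott"), ("wife", "anna"), ("wife", "beth"),
    ("beth", "carl"), ("beth", "dina"),
    ("dina", "erik"),
]

def build_graph(pairs):
    """Turn a list of friendship pairs into person -> set of friends."""
    graph = defaultdict(set)
    for a, b in pairs:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def audience(graph, owner, tagged):
    """Everyone who can see a "Friends only" photo under the rule above.

    Assumption: the owner's own friends and the tagged people themselves
    are always included, on top of the friends of everyone tagged.
    """
    viewers = {owner} | graph[owner]
    for person in tagged:
        viewers |= {person} | graph[person]
    return viewers

def strangers(graph, owner, tagged):
    """Map each viewer the owner is NOT friends with to the tags that let them in."""
    known = {owner} | graph[owner]
    exposed = defaultdict(set)
    for person in tagged:
        for viewer in ({person} | graph[person]) - known:
            exposed[viewer].add(person)
    return dict(exposed)

if __name__ == "__main__":
    g = build_graph(FRIENDSHIPS)
    for tags in ([], ["beth"], ["beth", "dina"]):
        print(f"tagged={tags}")
        print("  audience :", sorted(audience(g, "wife", tags)))
        for viewer, via in sorted(strangers(g, "wife", tags).items()):
            print(f"  stranger : {viewer} (via tag on {', '.join(sorted(via))})")
```

Each added tag only ever grows the audience, and `strangers` shows which tag is responsible for each viewer the owner never approved.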

Remember that when you aren't paying for something (like Facebook), someone is paying. The advertisers are paying and you, your friends and all your info are the product.

Reginald points out that when you grant an application (Farmville, etc.) in Facebook access to your profile, you are often granting that application access to your friends' personal information. That means that your annoying friend who is always pushing the Mob Wars invites has likely granted an application access to your information by proxy.

UPDATE: When you are sharing something, note that you can pull down the privacy dropdown, select Custom, make changes, and then hover your mouse over the gear to get a plain-English tooltip showing the resulting visibility of this update:

Your Homework - and pass it on

Go log into Facebook and in the upper right corner click Privacy Settings:

Under tagging you can choose what happens when someone tags you, and what happens with tags that friends add to your own posts or photos. You can also control tag suggestions. You can lock this down as much as you want.

Next, click on Apps and Websites and freak out when you see how many you (or your teen) have added. You can remove them as you like. Most importantly, click on "How people bring your info into apps they use."

How much of this info do you want your friends sharing with their applications? Turn this stuff off.

And finally, check out the Public Search option. Do you want Facebook and your public timeline to show up when someone Googles for you or your child? If not, turn this OFF.

You can also go back in time and "limit old posts." This will take posts from years ago when you didn't know this information and make them visible to friends only.

Facebook will likely try to talk you out of it. Use your judgment.

Now, for a fun over-dinner exercise, try explaining this to your 14-year-old, and why everyone should be careful about information leakage. Seriously. At least try.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

All I want to know is how do I make it so photos I upload from my phone are friends only (it's nearly always pictures of my kids) and any links I share (regardless of where they came from...Twitter, Share on the website, status updates from anywhere, etc) are all public? That's all I care about. :-\

I got to the point where the goal posts are being moved so often by Facebook that the only rational approach for me was to delete the account. I like Facebook and the connections it allows but I find it too complex to stay up to date with all the ramifications. Once the data became open to app companies then theoretically all that information is available to everyone given any security leak. I haven't missed it to be honest. And no one else has either (no one has yet commented that I'm suddenly missing from Facebook). And after watching that video, "Don't Talk To Police" on YouTube I'm apprehensive about having any information publicly available.

Chad

Friday, 13 April 2012 23:13:13 UTC

I've never bothered to look into it, but if I say apps can't access any of my data, does that stop people who have a Windows Phone from automatically importing that information into my details in the people hub?

Scott, I think you missed a very big option (and easy one) in the Privacy Settings, that precisely addresses the problem your wife had, about friends of tagged friends being able to see the post/picture, check it out:

Dennis, no, people won't. You may always have some fresh kids joining up that don't know or yet care about privacy. Then someday they or one of their friends will get a scare like Scott's wife did. Or a parent will hear about a child getting harassed after school by some child stalker that thought the kid really wanted their attentions.

It's just a matter of how long it takes someone to realize how stupid it is to tell the entire world every detail about their personal life.

michael lang

Saturday, 14 April 2012 07:44:58 UTC

Another reason why I deleted my Facebook account long ago. Never will go back to it.

Saturday, 14 April 2012 09:21:38 UTC

I'm with Dennis - anything I'd be unhappy about becoming public doesn't go on a wall. I don't quite treat it as public, but I definitely treat it as potentially public.

Young people are likely to understand these privacy issues at a much deeper level than we think, or than even we understand it; to them, the Facebook culture is representative of the larger cultural norm for privacy. This norm is accepted deep in their worldview, and as time goes on and these younger people become more socially influential, these attitudes will prevail.

To those who lived their entire lives fiercely defending privacy, this evolving norm rightly appears shocking, and I'm not saying it would harm younger people to understand the role privacy has historically played (primarily in constitutional protections against search and seizure rooted in both philosophy and directly in colonial tensions, as well as in various contemporary issues like LGBT rights and terrorism). But it also helps us to understand that culture shifts as needed to maintain equilibrium with the environment surrounding it (which includes the internet "environment") while permitting society to survive, if not thrive, economically.

The thing that amazed me the most in this post is that nowadays people expect privacy when posting on the Internet. You don't want anybody to see a picture? Simple, don't put it on the Internet. That's all. Real smart people understand this.

Jean

Sunday, 15 April 2012 13:03:53 UTC

Jean, I share pictures on the internet for my family and a few close 'real' friends to see them. If that site wants to offer paid printing on those photos to offset their cost, then I am fine with that. If they want to expand who can see the photos without my explicit grant, then I am NOT fine with that.

mikemcg,

As long as people are judged and have repercussions for certain kinds of personal life moments posted, people in any generation will want privacy. People will continue to want to post things that are personal. But there will always be some things they want to share with one group, but not another group. People have that assurance with email, texting, phone calls, etc... They expect the communication provider only sends it to the intended recipient(s). People expect their social network to do the same thing.

A provider may be required by law to share a communication with law enforcement by subpoena, and there may be occasional hacking of a communication system to intercept certain communications. But that is an inherent risk in any communication.

Michael Lang

Monday, 16 April 2012 16:24:49 UTC

And when you're done, go to the upper-right hand corner of the window and select 'log out'.

Peter Clark

Tuesday, 17 April 2012 22:25:43 UTC

I liked this article. I liked it so much that I translated it to Turkish and passed it along in my blog.